ALRC’s view

51.73 The Privacy Act should provide for notification by agencies and organisations to individuals affected by a data breach. This requirement is consistent with the Privacy Act’s objective to protect the personal information of individuals. Data breach notification can serve to protect the personal information from any further exposure or misuse, and encourages agencies and organisations to be transparent about their information-handling practices.

51.74 While the data breach notification requirement would operate separately to the requirements for the handling of personal information under the model UPPs,[120] a data breach may occur because an agency or organisation has failed to comply with its obligations in regards to the use and disclosure of personal information,[121] or has failed to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.[122] A data breach, therefore, could be an interference with privacy under the Privacy Act.

51.75 A data breach may also occur where an agency or organisation has been in compliance with the Privacy Act but the information it holds has been stolen or ‘hacked’ into. Alternatively, information may have been disclosed due to circumstances that were not foreseeable and, consequently, reasonable steps could not have been taken to prevent the breach.

51.76 Notification requirements are accordingly not reliant on establishing that an agency or organisation has not complied with its data security obligations. Nor are the provisions aimed at ‘punishing’ bodies when a breach occurs. Rather, the primary rationale for data breach notification laws is that notifying people that their personal information has been breached can help to minimise the damage caused by the breach.[123] Notification acknowledges the fact that a data breach potentially can expose an individual to a serious risk of harm. By arming individuals with the necessary information, they have the opportunity, for example, ‘to monitor their accounts, take preventative measures such as new accounts, and be ready to correct any damage done’.[124]

51.77 The view has been put to the ALRC that this rationale does not apply in the case of breaches by financial services institutions. It has been suggested that it is the bank (or other financial institution), not the customer, that is at risk of loss if unauthorised transactions are made to the customer’s account. It is the bank, not the customer that would be able to mitigate the potential damage. In the ALRC’s view, while it may be the financial institution that mitigates the financial damage, there has still been unauthorised access to the customer’s personal information. This access may occasion other non-financial risks. One of the fundamental principles underpinning the Privacy Act is that an individual should be informed about what happens to his or her personal information.[125]

51.78 While the loss of financial information—and the subsequent risk of identity theft and fraud—clearly is a concern, risks arising from data breaches are not limited to financial harm. Other types of personal information, such as health information, if disclosed, could subject a person to discriminatory treatment or damage to his or her reputation. Informing a person that such information has been disclosed makes that person aware of what may be the possible consequences of the breach.[126]

51.79 The legal requirement to notify in the case of serious breaches is necessary because, as explained above, there is a risk that the uncontrolled market may ‘undersupply notification’.[127] That is, because of the reputational damage to organisations that notification can cause, organisations may not have sufficient incentives to notify customers voluntarily of a data breach.[128]

51.80 A data breach notification requirement also can provide incentives to improve data security. The reputational damage that can follow a high-profile data breach, and the commercial consequences of such a breach, can provide powerful incentives to improve security.

51.81 Notification also plays an important role in keeping the market informed of the privacy practices of organisations. As Professor Robert Baldwin and Professor Martin Cave suggest, ‘competitive markets can only function properly if consumers are sufficiently well informed to evaluate competing products’.[129] In the absence of notification, a data breach causes an ‘information inadequacy’, as the organisation knows that there has been an unauthorised acquisition of an individual’s personal information, but the individual affected does not. Until the individual is notified of a data breach, therefore, there may be inadequate information in the market for individuals to evaluate the different information-handling practices of organisations.

51.82 Some organisations already may be subject to notification requirements under other federal legislation. For example, under s 912D of the Corporations Act 2001 (Cth),[130] a financial services licensee is required to notify ASIC where it has breached, or is likely to breach, certain obligations under the Act. Notification is required only where the breach, or likely breach, is significant.[131] While the ALRC notes concerns from stakeholders about adding another notification obligation, these requirements are to notify the regulator of breaches under the relevant Acts, not an individual who may be affected by the breach. In addition, these obligations are concerned with ensuring good corporate governance,[132] and not protecting the privacy of individuals.

Trigger for notification

Real risk of serious harm

51.83 The recommended data breach notification provisions should include a general requirement to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person; and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

51.84 There are several factors to note about this recommended triggering event. First, it sets a higher threshold for notification than is provided in most other tests. Rather than requiring notification of ‘any unauthorised acquisition’ of personal information, the recommended test allows the agency or organisation to investigate the data breach and make an assessment of whether the unauthorised acquisition may give rise to a real risk of serious harm to an individual. Serious harm is not limited to identity theft or fraud. The harm could include, for example, discrimination, if sensitive medical information was released.

51.85 In international law, the term ‘a real risk of serious harm’ has been defined to mean ‘a reasonable degree of likelihood’, ‘real and substantial danger’ and ‘a real and substantial risk’.[133] In the OPC’s draft Voluntary Information Security Breach Notification Guide, the OPC sets out a number of questions to evaluate the risks associated with the breach, including:

  • what personal information is involved (for example, how sensitive is it; could the information be used for fraudulent purposes);
  • what is the cause and extent of the breach (for example, is there a risk of ongoing breaches; is the information easily accessible; was the breach deliberate or inadvertent);
  • who is affected (for example, how many people; are they people particularly at risk of harm); and
  • what harm could result (for example, who is the recipient of the information; could the breach lead to fraud, financial loss or humiliation; what impact could the breach have on the organisation or agency concerned).[134]

51.86 Setting a higher threshold to where there is a real risk of serious harm should reduce the risk of ‘notification fatigue’—that is, where individuals receive so many notices of data breaches that it becomes difficult for them to assess which ones carry a serious risk of harm and which ones are minor in nature and consequence. A higher threshold for notification also should reduce the compliance burden on agencies and organisations.

51.87 It also is noted that the agency or organisation decides whether the triggering event has occurred. This will allow organisations and agencies to develop their own standards about what constitutes a real risk of serious harm in the context of their own operations.

51.88 The ALRC’s recommendation does, however, provide for oversight by the Privacy Commissioner. It is preferable that the decision to notify is made in consultation with the Privacy Commissioner, and that the Commissioner is able to require notification where he or she believes that the unauthorised acquisition gives rise to a real risk of serious harm to any affected individual. This oversight is similar to the model put forward by the CIPPIC and the Canadian Government Standing Committee on Access to Information, Privacy and Ethics. The Privacy Commissioner also could use this oversight power to require that notification be made to other bodies as appropriate, such as the major credit reporting agencies. It is not intended, however, that agencies and organisations consult with the Commissioner in cases where they are sure that the threshold for notification is not met.

51.89 The requirement to consult with the Privacy Commissioner on whether notification is required also will alert the Commissioner to possible systemic problems within an agency or organisation. Where an agency or organisation has notified the Commissioner of a number of breaches, the Commissioner may consider whether to investigate the matter on his or her own motion.[135] The Commissioner also may use multiple breach notifications as an indication that a Privacy Performance Assessment[136] would be appropriate.

51.90 Consistently with the ALRC’s view that the Privacy Act be technology neutral,[137] the requirement to notify should not be restricted to computerised information, but should apply to any unauthorised access to personal information—whether through a lost laptop; a hacker accessing electronic files; misplaced hard copy files; or careless disposal of hard copy personal information. This broad application should encourage compliance with the ‘Data Security’ principle.

Exceptions to notification

51.91 While the recommended triggering event set out above is narrower than that adopted in many states in the US, the ALRC acknowledges the concern expressed by stakeholders that there should be some discretion concerning the requirement to notify. There should also be clear examples of circumstances that are not likely to give rise to a real risk of serious harm. In DP 72, the ALRC took the approach that these examples should be listed as exceptions to the requirement to notify. Following comments made in submissions, the ALRC’s view is that these factors should be included as part of the assessment of whether there is a real risk of serious harm arising from the breach.

51.92 First, the provisions should state that, in determining whether there is a real risk of serious harm, consideration should be given to whether the specified personal information was encrypted adequately. The requirement that encryption be ‘adequate’ implicitly requires that the encryption key was not also acquired by the unauthorised person. In other words, encryption will not be adequate where there is an easy means of decoding the information. This phrasing also avoids any need to specify exactly what type of encryption is adequate. An assessment of adequacy will depend on the circumstances of the case, taking into account matters such as the type of personal information, the nature of the agency or organisation holding it, and the risk of harm that would be caused by its unauthorised acquisition. The Privacy Commissioner should issue guidance on the type and standard of encryption he or she generally will consider adequate.

51.93 The data breach notification provisions should provide that consideration be given to whether the information was acquired in good faith by an employee or agent, where the agency or organisation was otherwise acting for a purpose permitted by the model UPPs—provided that the personal information is not used or subject to further unauthorised disclosure. This would apply to situations where, for example, an employee accidentally gains unauthorised access to personal information of a customer in the process of collecting information for a permitted purpose. It would not cover situations where an employee is acting outside a purpose permitted by the privacy principles, such as where he or she is ‘snooping’ or accessing personal information for illegitimate purposes.[138] In those circumstances, however, the agency, organisation or Privacy Commissioner would still need to assess whether the unauthorised acquisition gave rise to a real risk of serious harm to the affected individual. If the information was not disclosed beyond the staff member, then it may be that there is no requirement to notify the affected individual.

51.94 The Privacy Commissioner should have a broad discretion to waive the notification requirement where the Commissioner does not consider that it would be in the public interest to notify. This would cover situations, for example, where there is a law enforcement investigation being undertaken into the breach and notification would impede that investigation, or where the information concerned matters of national security.[139]

‘Specified personal information’ for the purposes of notification

51.95 In US state data breach notification laws, only the combination of particular types of personal information gives rise to the obligation to notify. The US laws do not apply to the range of personal information which falls within the definition of ‘personal information’ in the Privacy Act.

51.96 The Privacy Act should adopt a definition of ‘specified personal information’ for the purposes of the data breach notification provisions. This definition should draw on the existing definitions of ‘personal information’ and ‘sensitive information’ in the Privacy Act and should prescribe what combinations of these types of information would, when acquired without authorisation, give rise to a real risk of serious harm requiring notification.

51.97 For example, adopting the approach of the US Interagency Guidance and CIPPIC definitions, ‘specified personal information’ could include information in electronic or paper form, which includes an individual’s name or address, in combination with any of the following:

  • driver’s licence or proof of age;
  • Medicare number—or other unique identifier, such as a tax file number;
  • account numbers, credit or debit card numbers, or other unique identifiers issued by other organisations together with any security code, password or access code that would permit access to the individual’s information; or
  • sensitive information (as defined in the Privacy Act).

51.98 The unauthorised acquisition of such information (whether in combination or alone) could arm a person with sufficient personal information to commit both an ‘account takeover’ and ‘true name fraud’, as defined above. The ALRC recognises that this suggested definition of ‘specified personal information’ is not limited to financial information, as suggested by Microsoft.[140] While preventing identity fraud is one of the key rationales for data breach notification, it is not the only consequence that can flow from an unauthorised acquisition of personal information. Discrimination, stalking, and other harmful consequences potentially could flow from a security breach. The recommended data breach notification provisions, therefore, should deal with more than simply ‘sensitive financial information’.

Other matters

51.99 The ALRC has not specified the form, content, method or timing of notification. As with the definition of ‘specified personal information’, however, there are elements of the US laws and CIPPIC proposal upon which the data breach notification law could be modelled. The model currently under consideration by the Privacy Commissioner in the draft voluntary Guide, as outlined above, is supported by the ALRC.

51.100 At a minimum, the content of breach notification should provide:

  • a description of the breach;
  • a list of the types of personal information that were disclosed; and
  • contact information for affected individuals to obtain more information and assistance.

51.101 The ALRC agrees with the view expressed in submissions that not all agencies and organisations will be able to make an assessment of the risk of identity fraud as a result of the breach, nor will they have expertise in how to mitigate any damage that might flow from the breach. To assist agencies and organisations, the OPC should consider developing, in consultation with relevant bodies such as the AFP, identity theft guidelines.

Method of notification

51.102 Ordinarily, a breach notification should be directed personally to the individual affected. Rather than prescribing the various methods by which an agency or organisation can notify an individual, it would be preferable to allow for the method of notification to be determined by the agency’s or organisation’s ordinary method of communicating with individuals. If, for example, an agency or organisation usually corresponds with an individual by post, then it should not provide notification by email. Agencies and organisations also should be able to have regard to any arrangements they have in place for contacting an individual in an emergency situation.

51.103 In relation to substituted notice, the ALRC does not recommend the setting of a particular threshold for allowing substituted notice, in terms of cost of notification or number of people to notify. It would be difficult to set a threshold that would be fair and reasonable to all the agencies and organisations subject to the Privacy Act, particularly if the small business exemption were removed.[141] It would be preferable to empower the Privacy Commissioner to approve substituted notice where he or she believes it is appropriate, reasonable and fair in all the circumstances.

Restriction of notification to residents of Australia

51.104 Microsoft has suggested that notification requirements should be restricted to residents of Australia, to avoid companies being subject to a myriad of notification rules across jurisdictions.[142]

51.105 As discussed in Chapter 5, the Privacy Act regulates the handling of personal information in Australia by federal departments and agencies, ACT public sector agencies, and private sector organisations, as defined under the Act.[143] The Privacy Act also generally applies to an act or practice engaged in outside Australia by an organisation, if the act or practice relates to personal information of an Australian citizen or permanent resident of Australia.[144] For the Privacy Act to apply extraterritorially, the organisation must be an Australian citizen; resident; a partnership, trust or body corporate formed in Australia (or an external Territory); or an unincorporated association that has its central management and control in Australia (or an external Territory).[145]

51.106 The general approach of the Privacy Act also should apply to the data breach notification provisions. Where a relevant data breach by an agency or organisation occurs within Australia, every affected individual should be notified, regardless of their citizenship or residency status. Where a breach occurs outside Australia by an organisation subject to the extraterritoriality provisions, Australian citizens and permanent residents should be covered by the Australian data breach notification requirements, to the same extent as they are by other protections under the Act.

Penalties

51.107 In Chapter 50, the ALRC recommends that the Privacy Act should be amended to allow a civil penalty to be imposed where there is a serious or repeated interference with the privacy of an individual.[146] In cases of serious interferences with privacy, civil financial penalties are likely to be effective against agencies and organisations by providing a strong incentive to comply with the Act. Civil penalties also should be pursued where they would have a worthwhile educative or deterrent effect.

51.108 On this basis, it would be appropriate to allow for a civil penalty to be imposed where an agency or organisation has failed to notify the Privacy Commissioner of a data breach. Such a penalty would provide a strong incentive for agencies and organisations to disclose data breaches where required, and encourage agencies and organisations to consult with the OPC where a data breach has occurred to ensure they are in full compliance with the requirements.[147] The presence of civil penalties also should provide incentives to train staff adequately to, for example, ensure that laptops are not left in airports, hard files are not left unsecured, electronic and hard copy information is disposed of appropriately, and electronic information is encrypted and secured adequately.

51.109 In Chapter 50, the ALRC recommends that the OPC develop and publish enforcement guidelines setting out the criteria upon which a decision to pursue a civil penalty under the Privacy Act would be made. In relation to a failure to notify the Commissioner of a data breach, civil penalties should be considered where: there was an apparent blatant disregard of the law; the agency or organisation has a history of previous contraventions of the law; or there was a significant public detriment arising from the breach.

Recommendation 51-1 The Privacy Act should be amended to include a new Part on data breach notification, to provide as follows:

(a) An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

(b) The definition of ‘specified personal information’ should include both personal information and sensitive personal information, such as information that combines a person’s name and address with a unique identifier, such as a Medicare or account number.

(c) In determining whether the acquisition may give rise to a real risk of serious harm to any affected individual, the following factors should be taken into account:

(i) whether the personal information was encrypted adequately; and

(ii) whether the personal information was acquired in good faith by an employee or agent of the agency or organisation where the agency or organisation was otherwise acting for a purpose permitted by the Privacy Act (provided that the personal information is not used or subject to further unauthorised disclosure).

(d) An agency or organisation is not required to notify an affected individual where the Privacy Commissioner considers that notification would not be in the public interest or in the interests of the affected individual.

(e) Failure to notify the Privacy Commissioner of a data breach as required by the Act may attract a civil penalty.

 

[120] Rec 18–2.

[121] See ‘Use and Disclosure’ principle set out at the front of this Report.

[122] See ‘Data Security’ principle set out at the front of this Report.

[123] See M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute; Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007).

[124] M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 3.

[125] Australian Government Office of the Federal Privacy Commissioner Consultation Paper—Draft Voluntary Information Security Breach Notification Guide (2008), 18.

[126] Law Council of Australia, Submission PR 527, 21 December 2007.

[127] M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) Information Policy Institute, 13.

[128] Ibid, 11.

[129] R Baldwin and M Cave, Understanding Regulation: Theory, Strategy and Practice (1999), 12.

[130] See also Superannuation Industry (Supervision) Act 1993 (Cth) s 29J.

[131]Corporations Act 2001 (Cth) s 912D(1)(b).

[132] For example, an entity must notify the regulator when a breach may mean the organisation cannot provide the financial services it is licensed to provide or clients may be subject to a loss: Ibid.

[133] See R v Secretary of State for the Home Department, Ex parte Sivakumaran [1988] AC 958.

[134] Australian Government Office of the Federal Privacy Commissioner Consultation Paper—Draft Voluntary Information Security Breach Notification Guide (2008), 23–25.

[135] See Chs 49, 50.

[136] See Ch 47.

[137] See Ch 10.

[138] See, eg, the ‘Centrelink Staff Sacked over Breaches’, Sydney Morning Herald (online), 22 August 2006, <www.smh.com.au>.

[139] Examples of when other public interests may outweigh the desirability of protecting privacy are given in other contexts in a number of chapters in this Report. Chapter 65 considers when the public interest in allowing particular research projects to proceed outweighs the public interest in maintaining the level of privacy protection provided by the privacy principles. Chapter 42 discusses the public interest in providing an exemption from the privacy principles for acts and practices conducted in the course of journalism. Chapter 74 considers when acts done in the public interest should be a defence to the statutory cause of action for a serious invasion of privacy.

[140] See Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[141] See Rec 39–1.

[142]Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[143]Privacy Act 1988 (Cth) s 6C.

[144] Ibid s 5B(1). There are some provisions excluded from this general rule which relate to the establishment of tax file number guidelines and credit reporting: J Douglas-Stewart, Annotated National Privacy Principles (3rd ed, 2007), [1–460].

[145]Privacy Act 1988 (Cth) s 5B(2).

[146] See also Rec 59–9, which recommends the imposition of a civil penalty for breaches of the credit reporting provisions.

[147] See B Arnold, ‘Losing It: Corporate Reporting on Data Theft’ (2007) 3 Privacy Law Bulletin 101, 103.